Merge pull request #105919 from ravisantoshgudimetla/ps-restricted-updates

PodSecurity: OS based updates to restricted standard
This commit is contained in:
Kubernetes Prow Robot 2022-07-27 10:02:28 -07:00 committed by GitHub
commit ec905a4611
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
264 changed files with 6756 additions and 17 deletions

View File

@ -52,6 +52,11 @@ func CheckAllowPrivilegeEscalation() Check {
MinimumVersion: api.MajorMinorVersion(1, 8),
CheckPod: allowPrivilegeEscalation_1_8,
},
{
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: allowPrivilegeEscalation_1_25,
},
},
}
}
@ -77,3 +82,12 @@ func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev
}
return CheckResult{Allowed: true}
}
func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
// We can admit the Windows pod even if privilegeEscalation has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
}

View File

@ -23,7 +23,66 @@ import (
utilpointer "k8s.io/utils/pointer"
)
func TestAllowPrivilegeEscalation(t *testing.T) {
func TestAllowPrivilegeEscalation_1_25(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
allowed bool
}{
{
name: "multiple containers",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a"},
{Name: "b", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: nil}},
{Name: "c", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(true)}},
{Name: "d", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(false)}},
}}},
expectReason: `allowPrivilegeEscalation != false`,
expectDetail: `containers "a", "b", "c" must set securityContext.allowPrivilegeEscalation=false`,
allowed: false,
},
{
name: "windows pod, admit without checking privilegeEscalation",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Windows},
Containers: []corev1.Container{
{Name: "a"},
}}},
allowed: true,
},
{
name: "linux pod, reject if security context is not set",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Linux},
Containers: []corev1.Container{
{Name: "a"},
}}},
expectReason: `allowPrivilegeEscalation != false`,
expectDetail: `container "a" must set securityContext.allowPrivilegeEscalation=false`,
allowed: false,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := allowPrivilegeEscalation_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed && !tc.allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
})
}
}
func TestAllowPrivilegeEscalation_1_8(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod

View File

@ -66,6 +66,12 @@ func CheckCapabilitiesRestricted() Check {
CheckPod: capabilitiesRestricted_1_22,
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
},
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
{
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: capabilitiesRestricted_1_25,
OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
},
},
}
}
@ -128,3 +134,12 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
}
return CheckResult{Allowed: true}
}
func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if capabilities have been set.
// We can admit the Windows pod even if capabilities has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return capabilitiesRestricted_1_22(podMetadata, podSpec)
}

View File

@ -22,7 +22,63 @@ import (
corev1 "k8s.io/api/core/v1"
)
func TestCapabilitiesRestricted(t *testing.T) {
func TestCapabilitiesRestricted_1_25(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
allowed bool
}{
{
name: "multiple containers",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"FOO", "BAR"}}}},
{Name: "b", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"BAR", "BAZ"}}}},
{Name: "c", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE", "CHOWN"}, Drop: []corev1.Capability{"ALL", "FOO"}}}},
}}},
expectReason: `unrestricted capabilities`,
expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
},
{
name: "windows pod, admit without checking capabilities",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Windows},
Containers: []corev1.Container{
{Name: "a"},
}}},
allowed: true,
},
{
name: "linux pod, reject if security context is not set",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Linux},
Containers: []corev1.Container{
{Name: "a"},
}}},
expectReason: `unrestricted capabilities`,
expectDetail: `container "a" must set securityContext.capabilities.drop=["ALL"]`,
allowed: false,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := capabilitiesRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed && !tc.allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
})
}
}
func TestCapabilitiesRestricted_1_22(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
@ -41,7 +97,6 @@ func TestCapabilitiesRestricted(t *testing.T) {
expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := capabilitiesRestricted_1_22(&tc.pod.ObjectMeta, &tc.pod.Spec)

View File

@ -55,6 +55,12 @@ func CheckSeccompProfileRestricted() Check {
CheckPod: seccompProfileRestricted_1_19,
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
},
// Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
{
MinimumVersion: api.MajorMinorVersion(1, 25),
CheckPod: seccompProfileRestricted_1_25,
OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
},
},
}
}
@ -136,3 +142,14 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
return CheckResult{Allowed: true}
}
// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes
// version 1.25 and above
func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
// We can admit the Windows pod even if seccompProfile has not been set.
if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
return CheckResult{Allowed: true}
}
return seccompProfileRestricted_1_19(podMetadata, podSpec)
}

View File

@ -22,7 +22,105 @@ import (
corev1 "k8s.io/api/core/v1"
)
func TestSeccompProfileRestricted(t *testing.T) {
func TestSeccompProfileRestricted_1_25(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
allowed bool
}{
{
name: "no explicit seccomp",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a"},
},
}},
expectReason: `seccompProfile`,
expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
},
{
name: "no explicit seccomp, windows Pod",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Windows},
Containers: []corev1.Container{
{Name: "a"},
},
}},
allowed: true,
},
{
name: "no explicit seccomp, linux pod",
pod: &corev1.Pod{Spec: corev1.PodSpec{
OS: &corev1.PodOS{Name: corev1.Linux},
Containers: []corev1.Container{
{Name: "a"},
},
}},
expectReason: `seccompProfile`,
expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
allowed: false,
},
{
name: "pod seccomp invalid",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}},
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
},
}},
expectReason: `seccompProfile`,
expectDetail: `pod must not set securityContext.seccompProfile.type to "Unconfined"`,
},
{
name: "containers seccomp invalid",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}},
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
{Name: "c", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
{Name: "f", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
},
}},
expectReason: `seccompProfile`,
expectDetail: `containers "c", "d" must not set securityContext.seccompProfile.type to "Unconfined"`,
},
{
name: "pod nil, container fallthrough",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
{Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
{Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
},
}},
expectReason: `seccompProfile`,
expectDetail: `pod or containers "a", "b" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
result := seccompProfileRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed && !tc.allowed {
t.Fatal("expected disallowed")
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
})
}
}
func TestSeccompProfileRestricted_1_19(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod

View File

@ -26,14 +26,37 @@ import (
"k8s.io/utils/pointer"
)
// minimalValidPods holds minimal valid pods per-level per-version.
// minimalValidPods holds minimal valid OS neutral pods per-level per-version.
// To get a valid pod for a particular level/version, use getMinimalValidPod().
var minimalValidPods = map[api.Level]map[api.Version]*corev1.Pod{}
// minimalValidLinuxPods holds minimal valid linux pods per-level per-version.
// To get a valid pod for a particular level/version, use getMinimalValidPod().
var minimalValidLinuxPods = map[api.Level]map[api.Version]*corev1.Pod{}
// minimalValidWindowsPods holds minimal valid Windows pods per-level per-version.
// To get a valid pod for a particular level/version, use getMinimalValidPod().
var minimalValidWindowsPods = map[api.Level]map[api.Version]*corev1.Pod{}
func addLinux(pod *corev1.Pod) *corev1.Pod {
copyPod := pod.DeepCopy()
copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Linux}
return copyPod
}
func addWindows(pod *corev1.Pod) *corev1.Pod {
copyPod := pod.DeepCopy()
copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Windows}
return copyPod
}
func init() {
// These are the OS neutral pods
minimalValidPods[api.LevelBaseline] = map[api.Version]*corev1.Pod{}
minimalValidPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
minimalValidLinuxPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
minimalValidWindowsPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{}
// Define minimal valid baseline pod.
// This must remain valid for all versions.
baseline_1_0 := &corev1.Pod{Spec: corev1.PodSpec{
@ -50,6 +73,8 @@ func init() {
p.Spec.SecurityContext = &corev1.PodSecurityContext{RunAsNonRoot: pointer.BoolPtr(true)}
})
minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = restricted_1_0
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addLinux(restricted_1_0)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addWindows(restricted_1_0)
// 1.8+: allowPrivilegeEscalation=false
restricted_1_8 := tweak(restricted_1_0, func(p *corev1.Pod) {
@ -57,6 +82,8 @@ func init() {
p.Spec.InitContainers[0].SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: pointer.BoolPtr(false)}
})
minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = restricted_1_8
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addLinux(restricted_1_8)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addWindows(restricted_1_8)
// 1.19+: seccompProfile.type=RuntimeDefault
restricted_1_19 := tweak(restricted_1_8, func(p *corev1.Pod) {
@ -66,6 +93,8 @@ func init() {
}
})
minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = restricted_1_19
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addLinux(restricted_1_19)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addWindows(restricted_1_19)
// 1.22+: capabilities.drop=["ALL"]
restricted_1_22 := tweak(restricted_1_19, func(p *corev1.Pod) {
@ -73,9 +102,19 @@ func init() {
p.Spec.InitContainers[0].SecurityContext.Capabilities = &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}
})
minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = restricted_1_22
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addLinux(restricted_1_22)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addWindows(restricted_1_22)
// 1.25+: OS specific changes
minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_22
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = addLinux(restricted_1_22)
// none of the restricted requirements added between 1.0 and 1.25 apply to the pods that are explicitly Windows
restricted_1_25_windows := addWindows(restricted_1_0)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_25_windows
}
// GetMinimalValidPod returns a minimal valid pod for the specified level and version.
// GetMinimalValidPod returns a minimal valid OS neutral pod for the specified level and version.
func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, error) {
originalVersion := version
for {
@ -90,6 +129,36 @@ func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, erro
}
}
// GetMinimalValidLinuxPod returns a minimal valid linux pod for the specified level and version.
func GetMinimalValidLinuxPod(level api.Level, version api.Version) (*corev1.Pod, error) {
originalVersion := version
for {
pod, exists := minimalValidLinuxPods[level][version]
if exists {
return pod.DeepCopy(), nil
}
if version.Minor() <= 0 {
return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
}
version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
}
}
// GetMinimalValidWindowsPod returns a minimal valid windows pod for the specified level and version.
func GetMinimalValidWindowsPod(level api.Level, version api.Version) (*corev1.Pod, error) {
originalVersion := version
for {
pod, exists := minimalValidWindowsPods[level][version]
if exists {
return pod.DeepCopy(), nil
}
if version.Minor() <= 0 {
return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
}
version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
}
}
// fixtureGenerators holds fixture generators per-level per-version.
// To add generators, use registerFixtureGenerator().
// To get fixtures for a particular level/version, use getFixtures().

View File

@ -38,6 +38,9 @@ func init() {
return nil
},
generateFail: func(p *corev1.Pod) []*corev1.Pod {
if p.Spec.OS != nil && p.Spec.OS.Name == corev1.Windows {
return []*corev1.Pod{}
}
return []*corev1.Pod{
// explicit true
tweak(p, func(p *corev1.Pod) {

View File

@ -46,8 +46,6 @@ func TestFixtures(t *testing.T) {
defaultChecks := policy.DefaultChecks()
const newestMinorVersionToTest = 23
policyVersions := computeVersionsToTest(t, defaultChecks)
newestMinorVersionWithPolicyChanges := policyVersions[len(policyVersions)-1].Minor()
@ -61,11 +59,25 @@ func TestFixtures(t *testing.T) {
failDir := filepath.Join("testdata", string(level), fmt.Sprintf("v1.%d", version), "fail")
// render the minimal valid pod fixture
validPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version))
osNeutralPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version))
if err != nil {
t.Fatal(err)
}
expectedFiles.Insert(testFixtureFile(t, passDir, "base", validPod))
expectedFiles.Insert(testFixtureFile(t, passDir, "base", osNeutralPod))
// Don't generate OS specific pods when version < 1.25 as pod os field based restriction is not enabled.
if level == api.LevelRestricted && version >= podOSBasedRestrictionEnabledVersion {
linuxPod, err := GetMinimalValidLinuxPod(level, api.MajorMinorVersion(1, version))
if err != nil {
t.Fatal(err)
}
expectedFiles.Insert(testFixtureFile(t, passDir, "base_linux", linuxPod))
windowsPod, err := GetMinimalValidWindowsPod(level, api.MajorMinorVersion(1, version))
if err != nil {
t.Fatal(err)
}
expectedFiles.Insert(testFixtureFile(t, passDir, "base_windows", windowsPod))
}
// render check-specific fixtures
checkIDs, err := checksForLevelAndVersion(defaultChecks, level, api.MajorMinorVersion(1, version))

View File

@ -36,6 +36,11 @@ import (
"k8s.io/pod-security-admission/policy"
)
const (
newestMinorVersionToTest = 25
podOSBasedRestrictionEnabledVersion = 25
)
// Options hold configuration for running integration tests against an existing server.
type Options struct {
// ClientConfig is a client configuration with sufficient permission to create, update, and delete
@ -115,13 +120,28 @@ func computeVersionsToTest(t *testing.T, checks []policy.Check) []api.Version {
}
}
for _, versionsForLevel := range minimalValidLinuxPods {
for version := range versionsForLevel {
if version.Major() != 1 {
t.Fatalf("expected major version 1, got %d", version.Major())
}
seenVersions[version] = true
}
}
for _, versionsForLevel := range minimalValidWindowsPods {
for version := range versionsForLevel {
if version.Major() != 1 {
t.Fatalf("expected major version 1, got %d", version.Major())
}
seenVersions[version] = true
}
}
alwaysIncludeVersions := []api.Version{
// include the oldest version by default
api.MajorMinorVersion(1, 0),
// include the release under development (1.23 at time of writing).
// this can be incremented to the current version whenever is convenient.
// TODO: find a way to use api.LatestVersion() here
api.MajorMinorVersion(1, 23),
api.MajorMinorVersion(1, newestMinorVersionToTest),
}
for _, version := range alwaysIncludeVersions {
seenVersions[version] = true
@ -296,13 +316,36 @@ func Run(t *testing.T, opts Options) {
}
}
minimalValidPod, err := GetMinimalValidPod(level, version)
minimalValidOSNeutralPod, err := GetMinimalValidPod(level, version)
if err != nil {
t.Fatal(err)
}
var minimalValidLinuxPod, minimalValidWindowsPod *corev1.Pod
if level == api.LevelRestricted && version.Minor() >= podOSBasedRestrictionEnabledVersion {
minimalValidLinuxPod, err = GetMinimalValidLinuxPod(level, version)
if err != nil {
t.Fatal(err)
}
minimalValidWindowsPod, err = GetMinimalValidWindowsPod(level, version)
if err != nil {
t.Fatal(err)
}
}
t.Run(ns+"_pass_base", func(t *testing.T) {
createPod(t, 0, minimalValidPod.DeepCopy(), true, "")
createController(t, 0, minimalValidPod.DeepCopy(), true, "")
createPod(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
createController(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
if minimalValidLinuxPod != nil && minimalValidWindowsPod != nil {
// Linux specific pods
createPod(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
createController(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
// Windows specific pods
createPod(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
createController(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
}
})
checkIDs, err := checksForLevelAndVersion(opts.Checks, level, version)

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- NET_RAW
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- NET_RAW
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- chown
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- CAP_CHOWN
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostIPC: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostPID: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346

View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: true
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: Unconfined

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: Unconfined
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seccompProfile:
type: Unconfined
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
type: somevalue

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
type: somevalue
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: somevalue
securityContext:
seLinuxOptions: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
user: somevalue

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions4
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
role: somevalue

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: othersysctl
value: other

View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions: {}
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions: {}
securityContext:
windowsOptions:
hostProcess: true

View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions:
hostProcess: true
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions:
hostProcess: true
securityContext:
windowsOptions: {}

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: base
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,44 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: false
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext: {}

View File

@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
level: somevalue
type: container_init_t
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: container_kvm_t
securityContext:
seLinuxOptions:
type: container_t

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}

View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.ipv4.ip_local_port_range
value: 1024 65535
- name: net.ipv4.tcp_syncookies
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- NET_RAW
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- NET_RAW
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- chown
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- CAP_CHOWN
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostIPC: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostPID: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346

View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: true
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: Unconfined

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: Unconfined
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seccompProfile:
type: Unconfined
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
type: somevalue

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
type: somevalue
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: somevalue
securityContext:
seLinuxOptions: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
user: somevalue

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions4
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
role: somevalue

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: othersysctl
value: other

View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions: {}
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions: {}
securityContext:
windowsOptions:
hostProcess: true

View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions:
hostProcess: true
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions:
hostProcess: true
securityContext:
windowsOptions: {}

View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: base
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

View File

@ -0,0 +1,44 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
securityContext: {}

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: false
securityContext: {}

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext: {}

View File

@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
level: somevalue
type: container_init_t
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: container_kvm_t
securityContext:
seLinuxOptions:
type: container_t

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}

View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.ipv4.ip_local_port_range
value: 1024 65535
- name: net.ipv4.tcp_syncookies
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- chown
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

Some files were not shown because too many files have changed in this diff Show More